With iOS 13, Apple locks out apps from accessing users’ private notes in Contacts

Apple is closing a loophole that allowed app developers to access users’ potentially sensitive and private data. With the launch of iOS 13, apps that request access to users’ Contacts will no longer be able to read the data in the “Notes” field of those address book entries.

For years, security professionals have warned people not to store private information in their phone’s Address Book because it’s not protected or encrypted in any way. And that makes it vulnerable.

Yet, people continued to use their Address Book as a makeshift password manager. Or they would enter a variety of other private information into the Notes field in Contacts.

Perhaps they’d note their ATM PIN, the door code for their home, a vault code, a Social Security number, credit card information and more. They may also have written down private notes about a person that they wouldn’t want shared.

However, when an iOS app asked for access to a user’s Contacts, it would receive all this data from the Notes field, in addition to the name, address, email and phone number stored.

At Apple’s Worldwide Developers Conference this week, the company announced that this would no longer be the case.

The Notes field, Apple said, could include potentially sensitive details like sneaky comments about the boss. In reality, many users’ Notes field may have contained much worse than that.

The company explained that most apps have no need to request this private Notes data, so this change won’t impact them. However, if an app developer does believe it has a valid reason for accessing the Notes field, they’ll be able to file a request for an exception.

Most users probably didn’t think too much about this problem. After all, those who were smart enough not to use their Address Book for sensitive information won’t care about this change because it doesn’t impact them.

And those who didn’t know any better now have Apple stepping in on their behalf to make sure their private data stays private.